Shimitar

Hi fellow self-hoster.

Almost one year ago i did experiment with Immich and found, at the time, that it was not up to pair to what i was expecting from it. Basically my use case was slightly different from the Immich user experience.

After all this time i decided to give it another go and i am amazed! It has grown a lot, it now has all the features i need and where lacking at the time.

So, in just a few hours i set it up and configured my external libraries, backup, storage template and OIDC authentication with authelia. All works.

Great kudos to the devs which are doing an amazing work.

I have documented all the steps of the process with the link on top of this post, hope it can be useful for someone.

I have a remote VPS that acts as a wireguard server (keys omitted):

[Interface]
Address = 10.0.0.2/24
[Peer] # self host server
AllowedIPs = 10.0.0.1/32

(The VPS is configured to be a router from the wg0 to it's WAN via nft masquerading)

And i have another server, my self-host server, which connects to the VPS trough wireguard because it uses wireguard tunnel as a port-forwarder with some nft glue on the VPS side to "port forward" my 443 port:

[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24

(omitted the nft glue)

My self-hosted server default route goes trough my home ISP and that must remain the case.

Now, on the self-host server i have one specific user that i need to route trough the wireguard tunnel for it's outgoing traffic, because i need to make sure it's traffic seems to originate from the VPS.

The way i usually handle this is with a couple of nft commands to create a user-specific routing table and assign a different default route to it (uid=1070):

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 192.168.0.1 dev eno1 table 1070

(this is the case, and works, to use eno1 as default gateway for user 1070. Traceroute 8.8.8.8 will show user 1070 going trough eno1, while any other user going trough the default gateway)

If i try the same using the wg0 interface, it doesn't work.

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070

This doesnt work, wireguard refuses to allow packets trough with an error like:

ping 8.8.8.8
From 10.0.0.1 icmp_seq=3 Destination Host Unreachable                                            
ping: sendmsg: Required key not available 

I tried to change my self-host server AllowedIps like this:

[Interface]
Address = 10.0.0.1/24
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0

and it works! User 1070 can route trough wireguard. BUT... now this works just too much... because all my self-host server traffic goes trough the wg0, which is not what i want.

So i tried to disable the WireGuard messing with routing tables:

[Interface]
Address = 10.0.0.1/24
Table = off
[Peer]
AllowedIPs = 10.0.0.2/24, 0.0.0.0/0

and manually added the routes for user 1070 like above (repeat for clarity):

 ip rule add uidrange  1070-1070 lookup 1070
ip route add default via 10.0.0.2 dev wg0 table 1070

The default route now doesnt get replaced, but now, without any error, the packers for user 1070 just don't get routed. ping 8.8.8.8 for user 1070 just hangs

I am at a loss.... Any suggestions?

(edits for clarity and a few small errors)

Hi all.

I have been hosting my mail (not "self" like at home, but hosting on a rented server on the 'net) for the last 20 years going the old good way of postfix+dovecot+OpenDKIM/DMARC/SpamAssassin and all the glue and bells.

Having the opportunity to rethink the entire approach (which works fine, but its pretty cumbersome and complex to replicate) i was looking at Stalwart mail server which looks promising and nice, being written in rust following modern principles and such.

Asking to anybody who has been using Stalwart, is it good? Does it deliver being a solid mail server?

Asking to people hosting it's own mail, is there a better solution out there?

Asking to people commenting against hosting a mail server, please refrain from doing so, as i'have been doing that with success for the past 20 years that's what i will be keep doing for the foreseeable future as well.

UPDATE: after many comments, let me be clear that i have nothing against systemd at a technical level. It indeed solves issues that people had and found it's way in most mainstream distros for good reasons, beside being pushed by Redhat and Debian, which makes for basically every other mainstream distro out there without much choice. I never used it long enough to judge it, and i dont intend to judge it from a technical point of view. I am worried that such a centra piece of technology deeply interwined with linux is under direct control of IBM and Microsoft (who is the employer of the systemd lead). This might mean nothing, or this could be important for the long time future of linux freedom.

I have recently been exposed to a lot of stuff against systemd.

I know its an old debate that has inflamed people for a long time, I am not looking into restarting it as I never took a stance into it in the past anyway.

I am myself a almost 30+ years power user of Linux and I have never used systemd much myself since it never fixed any issues I had with the previous approaches, and since I am a good user of Gentoo, always loved the freedom to just keep using OpenRC and din't ever bother with systemd.

I like the Unix approach and at the same time, if it is not broken don't fix it, is my basic idea. So my approach to systemd has been not of dislike, rather of I don't care, I don't need it. And I never needed it anyway.

After reading trough most of the links below I start to think that maybe my stance could be more than simple technical.

What are other lemmy-ers idea on all this?

I didn't knew about Microsoft taking over the Linux Foundation either, and I am getting concerned about the real freedom behind my beloved Linux.

TLDR: I don't dislike systemd, I never cared about systemd. Do I need to start caring now due to all this non technical issues?

Note: i a copying verbatim the following article to stress that these are not my personal opinions and that i didnt do a proper research on the topic, except reading (most) of the links below.

---

(The following is a post on the #libreware telegram channel on the 7th/8th of February 2025)

Lennart Poettering intends to replace "sudo" with #systemd's run0. Here's a quick PoC to demonstrate root permission hijacking by exploiting the fact "systemd-run" (the basis of uid0/run0, the sudo replacer) creates a user owned pty for communication with the new "root" process.

This isn't the only bug of course, it's not possible on Linux to read the environment of a root owned process but as systemd creates a service in the system slice, you can query D-BUS and learn sensitive information passed to the process env, such as API keys or other secrets.

https://fixupx.com/hackerfantastic/status/1785495587514638559

Nitter mirror: https://xcancel.com/hackerfantastic/status/1785495587514638559

Here are some links about #systemd #alternatives for #Linux in no particular order. Which are your favorite alternatives and distros?

https://suckless.org/sucks/systemd/

https://unixsheikh.com/articles/the-real-motivation-behind-systemd.html

https://sysdfree.wordpress.com/

https://nosystemd.org/

https://skarnet.org/software/systemd.html

https://the-world-after-systemd.ungleich.ch/

https://ewontfix.com/14/

https://forums.debian.net/viewtopic.php?t=120652

https://www.devuan.org/os/announce/

https://www.devuan.org/os/init-freedom

https://thehackernews.com/2019/01/linux-systemd-exploit.html

https://judecnelson.blogspot.com/2014/09/systemd-biggest-fallacies.html

https://chiefio.wordpress.com/2016/05/18/systemd-it-keeps-getting-worse/

https://systemd-free.artixlinux.org/why.php

Some more added here too: https://start.me/p/Kg8keE/priv-sec

#systemd #Linux

Hi all!

This is my first post from my self-hosted Lemmy instance!

Thanks all you guys who gave me suggestions and help!

Hope you can see it, BTW :)